require 'msf/core'

# Test bed for automatic target selection on Windows exploits.
#
# The module only registers metadata and a table of Windows targets; its
# #exploit method prints the selected target's name and nothing else. The
# per-target 'Ret' / 'DisableNX' / 'Scratch' values are never read by any code
# in this class, so they act purely as fixture data for target selection.
class MetasploitModule < Msf::Exploit::Remote
  include Exploit::Remote::Tcp
  Rank = ManualRanking

  # Builds the module definition and hands it to the framework.
  #
  # @param info [Hash] metadata supplied by the caller, merged through
  #   update_info with the values defined here
  def initialize(info = {})
    # Every target below uses the same 'Scratch' value.
    scratch = 0x00020408

    default_opts = {
      'WfsDelay' => 10,
      'EXITFUNC' => 'thread'
    }

    payload_opts = {
      'Space'       => 3072,
      'DisableNops' => true
    }

    # Order matters: the original author warns against changing the offset of
    # the XP SP0/SP1 entry (presumably its position in this list; confirm
    # before reordering).
    windows_targets = [
      # JMP EDI SVCHOST.EXE
      ['Windows 2000 Universal', { 'Ret' => 0x001f1cb0, 'Scratch' => scratch }],

      #
      # Standard return-to-ESI without NX bypass
      # Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET
      #
      # JMP ESI SVCHOST.EXE
      ['Windows XP SP0/SP1 Universal', { 'Ret' => 0x01001361, 'Scratch' => scratch }],

      # Standard return-to-ESI without NX bypass
      # JMP ESI SVCHOST.EXE
      ['Windows 2003 SP0 Universal', { 'Ret' => 0x0100129e, 'Scratch' => scratch }],

      # Metasploit's NX bypass for XP SP2/SP3
      [
        'Windows XP SP3 English (NX)',
        { 'Ret' => 0x6f88f807, 'DisableNX' => 0x6f8917c2, 'Scratch' => scratch }
      ]
    ]

    module_info = update_info(
      info,
      'Name'           => 'Exploit Auto-Targeting for Windows',
      'Description'    => %q{ This module is a test bed for automatic targeting for Windows exploits. },
      'Author'         => ['thelightcosine'],
      'License'        => MSF_LICENSE,
      'Privileged'     => true,
      'DefaultOptions' => default_opts,
      'Payload'        => payload_opts,
      'Platform'       => 'win',
      'Arch'           => [ARCH_X86, ARCH_X64],
      'Targets'        => windows_targets,
      'DisclosureDate' => 'Jan 01 1999'
    )
    super(module_info)

    # #exploit opens no connection, so the RPORT option is removed
    # (presumably it is registered by the included Tcp mixin).
    deregister_options('RPORT')
  end

  # Reports which target was selected. No connection is made and no payload is
  # delivered; this exists only so target selection can be observed.
  def exploit
    print_status "This exploit doesn't actually do anything"
    print_status("Target Selected: #{target.name}")
  end
end